A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices. From a high level, a DDoS attack is like a traffic jam clogging up a highway, preventing regular traffic from arriving at its desired destination.
A DDoS attack requires an attacker to gain control of a network of online machines in order to carry out an attack. Computers and other machines—such as IoT devices—are infected with malware, turning each one into a bot. The attacker then has remote control over the group of bots, which is called a botnet.
Once a botnet has been established, the attacker is able to direct the machines by sending updated instructions to each bot via a method of remote control. When the IP address of a victim is targeted by the botnet, each bot will respond by sending requests to the target, potentially causing the targeted server or network to overflow capacity, resulting in a denial-of-service to normal traffic. Because each bot is a legitimate Internet device, separating the attack traffic from normal traffic can be difficult.
Different DDoS attack vectors target varying components of a network connection. In order to understand how different DDoS attacks work, it is necessary to know how a network connection is made.
A network connection on the Internet is composed of many different components or “layers”. Like building a house from the ground up, each step in the model has a different purpose. The OSI model is the framework used to describe network connectivity in 7 distinct layers.
Figure 1: OSI Model
While nearly all DDoS attacks involve overwhelming a target device or network with traffic, attacks can be divided into three categories. An attacker may use one or multiple different attack vectors, or cycle attack vectors based on countermeasures taken by the target.
The goal of application layer (layer 7) attacks is to exhaust the resources of the target. These attacks target the layer where web pages are generated on the server and delivered in response to HTTP requests. A single HTTP request is cheap for the client to issue, but it can be expensive for the target server to answer, as the server often must load multiple files and run database queries in order to build the page. Application layer attacks are difficult to defend against because the traffic can be hard to flag as malicious.
An HTTP flood attack is like pressing refresh in a web browser over and over on many different computers at once—large numbers of HTTP requests flood the server, resulting in denial-of-service. This type of attack ranges from simple to complex. Simpler implementations may access one URL with the same range of attacking IP addresses. Complex versions may use many attacking IP addresses and target random URLs.
Protocol attacks, also known as state-exhaustion attacks, cause a service disruption by consuming all the available capacity of web application servers or intermediate resources like firewalls and load balancers. Protocol attacks utilize weaknesses in layer 3 and layer 4 to render the target inaccessible.
A SYN flood is analogous to a worker in a supply room receiving requests from the front of the store. The worker receives a request, goes and gets the package, and waits for confirmation before bringing the package out front. The worker then gets many more package requests without confirmation until they can’t carry any more packages, become overwhelmed, and requests start going unanswered.
This attack exploits the TCP handshake by sending a target a large number of TCP “Initial Connection Request” SYN packets with spoofed source IP addresses. The target machine responds to each connection request and then waits for the final step in the handshake, which never occurs, exhausting the target’s resources in the process.
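The spoofed-source detail above matters for detection: a per-source threshold sees one SYN per address and never fires, so the useful signal is the number of half-open flows and the handshake completion ratio per listener. The following is an added example (not code from the original page) that replays a constructed handshake event log and flags a listener whose backlog fills with connections that never complete; the event tuples, addresses and thresholds are all invented for the example.

```python
from collections import defaultdict

# Constructed handshake events as a sensor in front of a server might log them
# (invented for this example, not taken from a real capture). Each tuple is
# (time_s, client_ip, server_ip, server_port, step); the client is always listed
# first so a flow has a stable key whichever side sent the packet.
SAMPLE_EVENTS = [
    # two legitimate clients that complete the three-way handshake
    (0.00, "198.51.100.7", "192.0.2.10", 443, "SYN"),
    (0.01, "198.51.100.7", "192.0.2.10", 443, "SYN-ACK"),
    (0.05, "198.51.100.7", "192.0.2.10", 443, "ACK"),
    (0.10, "198.51.100.8", "192.0.2.10", 443, "SYN"),
    (0.11, "198.51.100.8", "192.0.2.10", 443, "SYN-ACK"),
    (0.15, "198.51.100.8", "192.0.2.10", 443, "ACK"),
]
# a burst of SYNs from 40 different sources; the server answers each with a
# SYN-ACK that is never acknowledged (the spoofed sources never sent the SYN)
for i in range(1, 41):
    SAMPLE_EVENTS.append((0.20 + i / 1000, f"203.0.113.{i}", "192.0.2.10", 443, "SYN"))
    SAMPLE_EVENTS.append((0.21 + i / 1000, f"203.0.113.{i}", "192.0.2.10", 443, "SYN-ACK"))


def handshake_state(events):
    """Replay events in time order; return (completed, half_open) per listener.

    completed: {(server_ip, port): number of flows that reached the final ACK}
    half_open: {(server_ip, port): [client_ip, ...] still waiting for that ACK}
    """
    pending = {}                      # (client, server, port) -> time of first SYN
    completed = defaultdict(int)
    for t, client, server, port, step in sorted(events, key=lambda e: e[0]):
        flow = (client, server, port)
        if step == "SYN":
            pending.setdefault(flow, t)   # a retransmitted SYN keeps the first timestamp
        elif step == "ACK" and flow in pending:
            del pending[flow]
            completed[(server, port)] += 1
    half_open = defaultdict(list)
    for client, server, port in pending:
        half_open[(server, port)].append(client)
    return completed, half_open


def detect_syn_flood(events, max_half_open=20, min_completion_ratio=0.5):
    """Flag listeners whose backlog holds many half-open flows that mostly never complete.

    Sources are assumed spoofed, so the check is per listener, not per source.
    """
    completed, half_open = handshake_state(events)
    alerts = {}
    for listener, clients in half_open.items():
        total = completed[listener] + len(clients)
        ratio = completed[listener] / total
        if len(clients) > max_half_open and ratio < min_completion_ratio:
            alerts[listener] = {
                "half_open": len(clients),
                "completed": completed[listener],
                "completion_ratio": round(ratio, 3),
                "distinct_sources": len(set(clients)),
            }
    return alerts


if __name__ == "__main__":
    for listener, report in detect_syn_flood(SAMPLE_EVENTS).items():
        print(f"possible SYN flood against {listener[0]}:{listener[1]} -> {report}")
```

The report's high `distinct_sources` count next to a near-zero completion ratio is the pattern to look for. On the host side the standard mitigation is SYN cookies (`net.ipv4.tcp_syncookies=1` on Linux), which let the kernel answer SYNs without storing state until the final ACK arrives.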
Volumetric attacks attempt to create congestion by consuming all available bandwidth between the target and the larger Internet. Large amounts of data are sent to a target by using a form of amplification or another means of creating massive traffic, such as requests from a botnet.
A DNS amplification attack is like an HTTP flood, but with an added response-amplification component. For example, if you and 20 of your friends all called the same pizza place and ordered 50 pies at the same time, that pizza shop would not be able to fulfill those requests. Volumetric attacks operate on the same principle. They request something from the target that will vastly increase the size of the response, and the amount of traffic explodes and clogs up the server.
By making a request to an open DNS server with a spoofed IP address (the real IP address of the target), the target IP address then receives a response from the server. The attacker structures the request such that the DNS server responds to the target with a large amount of data. As a result, the target receives an amplification of the attacker’s initial query.
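The two properties the attack depends on are an open resolver (it answers anyone) and a large answer sent back to a spoofed source that never asked. The following added example (not code from the original page, and not any real DNS server's implementation) models the two corresponding resolver-side defences: a recursion ACL that refuses outsiders with a tiny reply, and response rate limiting that replaces repeated identical answers to one source prefix with a small truncated reply, so a genuine client retries over TCP while a spoofed target receives almost nothing. The networks, limits and query sequence are constructed for the example; the /24 and /56 aggregation mirrors the defaults BIND's RRL uses.

```python
import ipaddress
from collections import defaultdict, deque


class ResolverPolicy:
    """Decide how a resolver should treat a UDP query.

    "answer"   - resolve and send the full reply
    "refuse"   - tiny REFUSED reply; no recursion for addresses outside our networks
    "truncate" - small reply with TC=1; a real client retries over TCP, a spoofed source cannot
    Constructed model of a recursion ACL plus response rate limiting (RRL).
    """

    def __init__(self, allowed_networks, responses_per_window=5, window_s=1.0):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.limit = responses_per_window
        self.window = window_s
        self.recent = defaultdict(deque)   # (source prefix, qname, qtype) -> answer times

    @staticmethod
    def _prefix(ip):
        # Aggregate sources by prefix so spoofed queries "from" a whole target subnet
        # still share one counter (24 and 56 are BIND's RRL prefix-length defaults).
        bits = 24 if ip.version == 4 else 56
        return ipaddress.ip_network(f"{ip}/{bits}", strict=False)

    def decide(self, src_ip, qname, qtype, now_s):
        ip = ipaddress.ip_address(src_ip)
        # 1. Recursion ACL: an open resolver answers anyone, which is exactly what an
        #    amplification attack needs; only resolve for our own address space.
        if not any(ip in net for net in self.allowed):
            return "refuse"
        # 2. RRL: the same answer to the same prefix many times per window is the
        #    signature of a spoofed source; beyond the limit, send a truncated reply.
        key = (self._prefix(ip), qname.lower().rstrip("."), qtype.upper())
        hits = self.recent[key]
        while hits and now_s - hits[0] >= self.window:
            hits.popleft()                 # forget answers outside the window
        if len(hits) >= self.limit:
            return "truncate"
        hits.append(now_s)
        return "answer"


if __name__ == "__main__":
    policy = ResolverPolicy(["192.0.2.0/24", "2001:db8::/32"], responses_per_window=3)
    # constructed query sequence: one outsider, then a burst from inside the /24
    for src, t in [("198.51.100.5", 0.0), ("192.0.2.9", 0.1), ("192.0.2.9", 0.2),
                   ("192.0.2.9", 0.3), ("192.0.2.77", 0.4), ("192.0.2.9", 1.5)]:
        print(f"{src:14} t={t:<4} {policy.decide(src, 'example.com', 'ANY', t)}")
```

Real servers implement the "slip" step more finely (dropping some over-limit queries outright and truncating the rest); the point here is that both defences shrink what a spoofed target receives from the resolver to a few dozen bytes.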
The key concern in mitigating a DDoS attack is differentiating between attack and normal traffic. Mitigating a multi-vector DDoS attack requires a variety of strategies in order to counter different trajectories. The more complex the attack, the more likely the traffic will be difficult to separate from normal traffic—the goal of the attacker is to blend in as much as possible, making mitigation as inefficient as possible.
Mitigation attempts that involve dropping or limiting traffic indiscriminately may throw good traffic out with the bad, and the attack may also modify and adapt to circumvent countermeasures. In order to overcome a complex attempt at disruption, a layered solution will give the greatest benefit.
One solution available to virtually all network admins is to create a blackhole route and funnel traffic into that route. In its simplest form, when blackhole filtering is implemented without specific restriction criteria, both legitimate and malicious network traffic is routed to a null route and dropped from the network. If an Internet property is experiencing a DDoS attack, the property’s Internet service provider (ISP) may send all the site’s traffic into a black hole as a defense.
Limiting the number of requests a server accepts over a certain time window is also a way of mitigating denial-of-service attacks. While rate limiting is useful in slowing web scrapers from stealing content and for mitigating brute force login attempts, it alone will likely be insufficient to handle a complex DDoS attack effectively. Nevertheless, rate limiting is a useful component in an effective DDoS mitigation strategy.
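To make the paragraph concrete, and to show why per-client limiting alone is not enough against the distributed HTTP floods described earlier, here is an added example (not code from the original page) that replays constructed web-server log lines through a two-layer limiter: a token bucket per client address, plus a shared budget for an expensive endpoint that still caps the total when the load is spread across many sources that each stay under the per-client limit. The log lines, addresses, paths and rates are all invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined-log-format lines (constructed for this example, not real traffic):
# one ordinary visitor, one source sending 20 requests within a single second,
# and 30 distinct sources that each send one request in the same later second.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5123',
    '198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /about HTTP/1.1" 200 2210',
    '198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /search?q=x HTTP/1.1" 200 8800',
] + ['203.0.113.4 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=x HTTP/1.1" 200 8800'] * 20
DISTRIBUTED_LOG = [
    f'203.0.113.{i} - - [10/Oct/2023:13:55:50 +0000] "GET /search?q=x HTTP/1.1" 200 8800'
    for i in range(10, 40)
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Return (ip, path, unix_time) for a combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["ip"], m["path"], ts


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class LayeredRateLimiter:
    """Per-client buckets catch one noisy source; a shared bucket for expensive
    endpoints caps the total even when each source stays under its own limit."""

    def __init__(self, per_ip=(2.0, 5), expensive_paths=("/search",), shared=(10.0, 20)):
        self.buckets = defaultdict(lambda: TokenBucket(*per_ip))
        self.expensive = set(expensive_paths)
        self.shared = TokenBucket(*shared)

    def check(self, ip, path, now):
        if not self.buckets[ip].allow(now):
            return "denied:per-client"
        if path.split("?", 1)[0] in self.expensive and not self.shared.allow(now):
            return "denied:shared-budget"
        return "allowed"


def apply_rate_limit(lines, limiter=None):
    """Replay log lines through the limiter; return {ip: {"allowed": n, "denied": n}}."""
    limiter = limiter or LayeredRateLimiter()
    counts = defaultdict(lambda: {"allowed": 0, "denied": 0})
    parsed = [p for p in map(parse_line, lines) if p]
    # stable sort keeps log order for requests logged in the same second
    for ip, path, ts in sorted(parsed, key=lambda p: p[2]):
        verdict = limiter.check(ip, path, ts)
        counts[ip]["allowed" if verdict == "allowed" else "denied"] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, c in sorted(apply_rate_limit(SAMPLE_LOG + DISTRIBUTED_LOG).items()):
        print(f"{ip:14} allowed={c['allowed']:3} denied={c['denied']:3}")
```

With these constructed rates the single noisy source is cut off after its burst allowance, the ordinary visitor is never touched, and the 30-source burst, which the per-client layer would have passed in full, is held to the shared budget. The remaining weakness the paragraph points at is that a large enough set of sources can still fill that budget with requests indistinguishable from legitimate ones, which is why rate limiting is one layer and not the whole strategy.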
A Web Application Firewall (WAF) is a tool that can assist in mitigating an application layer DDoS attack. By placing a WAF between the Internet and an origin server, the WAF may act as a reverse proxy, protecting the targeted server from certain types of malicious traffic. Because it filters requests based on a series of rules used to identify DDoS tools, a WAF can impede application-layer attacks. One key value of an effective WAF is the ability to quickly implement custom rules in response to an attack.
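The following added example (not code from the original page, and not any real WAF product's rule language) shows the mechanism the paragraph describes: an ordered rule set evaluated against each request, with block and challenge rules deciding immediately, log-only rules recorded, and a method for pushing a custom rule to the front of the set during an incident. The baseline rules, the request samples and the `ExampleTool/` user-agent string in the usage call are constructed for the example.

```python
import re


class WafRule:
    """One rule: a regex applied to a single request field, and the action on match.

    field is "method", "path", or "header:<name>"; action is "block", "challenge" or "log".
    """

    def __init__(self, name, field, pattern, action):
        self.name = name
        self.field = field
        self.pattern = re.compile(pattern, re.IGNORECASE)
        self.action = action

    def field_value(self, request):
        if self.field.startswith("header:"):
            wanted = self.field.split(":", 1)[1].lower()
            headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
            return headers.get(wanted, "")          # absent header behaves like an empty one
        return request.get(self.field, "")

    def matches(self, request):
        return self.pattern.search(self.field_value(request)) is not None


class Waf:
    """Evaluate rules in order: the first block/challenge match decides the verdict,
    log-only matches are collected and evaluation continues."""

    def __init__(self, rules=()):
        self.rules = list(rules)

    def add_rule(self, rule, front=True):
        # During an attack a custom rule is normally inserted ahead of the baseline
        # set so it takes effect on the very next request.
        if front:
            self.rules.insert(0, rule)
        else:
            self.rules.append(rule)

    def evaluate(self, request):
        """Return (verdict, deciding_rule_name_or_None, [names of log-only rules that matched])."""
        logged = []
        for rule in self.rules:
            if rule.matches(request):
                if rule.action == "log":
                    logged.append(rule.name)
                    continue
                return rule.action, rule.name, logged
        return "allow", None, logged


# Constructed baseline: reject methods the application never uses, challenge
# clients that send no User-Agent at all, and log hits on the expensive endpoint.
BASELINE_RULES = [
    WafRule("disallowed-method", "method", r"^(TRACE|TRACK)$", "block"),
    WafRule("missing-user-agent", "header:user-agent", r"^$", "challenge"),
    WafRule("expensive-search", "path", r"^/search\?", "log"),
]


if __name__ == "__main__":
    waf = Waf(BASELINE_RULES)
    req = {"method": "GET", "path": "/search?q=a", "headers": {"User-Agent": "ExampleTool/1.0"}}
    print("before custom rule:", waf.evaluate(req))
    # constructed incident rule: a user-agent string seen only in the attack traffic
    waf.add_rule(WafRule("custom-flood-ua", "header:user-agent", r"^ExampleTool/", "block"))
    print("after custom rule: ", waf.evaluate(req))
```

Rule order is part of the policy: a blocking rule placed after a challenge rule never runs for requests the challenge already caught, which is why the incident rule is inserted at the front.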
Just like everything else in computing, DDoS attacks are evolving and becoming more destructive to businesses. Attack sizes are increasing, growing from 150 requests per second in the 1990s—which would bring a server of that era down—to the recent DYNDNS attack and GitHub attack at 1.2 TBs and 1.35 TBs respectively. The goal in both attacks was to disrupt two major sources of productivity across the globe.
These attacks used new techniques to achieve their huge bandwidth numbers. For example, the Dyn attack used a weakness found in IoT devices to create a botnet, known as the Mirai botnet. Mirai used open telnet ports and default passwords to take over WiFi-enabled cameras and execute the attack. This attack exposed a major vulnerability that comes with the proliferation of IoT devices.
The Mirai Botnet attack shows a significant risk of future exploits, especially as the IoT universe continues to grow. How fun would it be for your fridge to be part of a botnet? Hence it is crucial to be able to secure your machines and be able to authenticate them effectively.